The Hiscox Cyber Readiness Report 2019, published in April 2019, shows that the number of firms reporting cyber incidents has risen from 45% last year to 61% in 2019. This adds further evidence to the need for businesses of all sizes to focus their attention on information security. Add to that external threat the risks that can come from inside the organisation, and the need to be prepared is paramount. Cyber attacks and breaches by criminals might make the headlines, but an equal or greater risk can come from disgruntled or unaware employees. The World Economic Forum publishes interesting reports on cyber security; this one is worth a read: 7 steps to reducing the risk of a cyber attack.
The following are some key aspects that the Hiscox Cyber Readiness Report has identified and how each compares to ISO 27001.
| Hiscox recommendation | ISO 27001 control point |
|---|---|
| Executive buy-in – cyber security is a priority for the board or proprietor | Clause 5.1 defines requirements for leadership and the need for the adoption of information security as a strategic decision for the organisation. |
| Clear strategy set by multiple stakeholders within the business | Clause 5.2 defines requirements for a strategic information security policy for the organisation. |
| Dedicated head of cyber or team | Clause 5.3 defines requirements for organisational roles, responsibilities and authorities. |
| Adequate cyber budget – on average, experts spend over $1 million more on cyber than novices | Clause 6.2 defines the need to provide resources to achieve information security objectives. Clause 7.1 defines requirements to provide resources to manage the information security management system and the activities within it. |
| Regular evaluation of supply chain, security KPIs in supply contracts | Clause 8 defines requirements to set operational controls for all aspects of information security, including the management of the supply chain. The Statement of Applicability identifies several areas where supplier contracts and external providers should be managed, including the need to share policies, clear access management and information transfer procedures, as well as major requirements in control point A.15 for supplier relationships. |
| Process – ability to track, document, measure impact | Clause 9 defines requirements for monitoring and measuring systems and information assets, including the need to log and monitor events or incidents. |
| Cyber awareness training throughout the workforce | Clause 7.2 defines the need to determine required competency levels and to provide education, training and experience as necessary to all relevant workers. |
| Proactive testing – through simulated attacks | Clause 8 sets out requirements for the management of operational planning and control, including risk assessment and the need to put treatments in place. Part of the overall capability development might include proactive testing of systems, using penetration testing or simulated attacks. Remember that testing will ensure the process works, but exercising the process on a regular basis will hone the skills of the relevant employees. |
| Regular phishing experiments | As above, Clause 8 sets out processes to treat risks; when combined with the requirements of Clause 7.2 to provide training, regular phishing experiments can reveal useful insights and focus training on the employees that need it. |
| Readiness to learn, respond, and make changes after an incident | The ISO 27001 system is based on the principle of 'Plan-Do-Check-Act'. This simple approach to improving all aspects of the management system will, when properly applied, enhance the readiness of the organisation to learn from and respond to incidents and to make changes. Specifically, Clause 10.2 sets out requirements that ensure the organisation reviews incidents and non-conformances so that the root cause is addressed and the changes that are required are managed thoroughly and appropriately. |
| Cyber insurance policy in place | Clause 6 defines requirements for actions to address information security risks and treatments, which might include insurance if the organisation deems that effective. Clause 8, which relates to operations, has requirements relating to incident management, which are further outlined in the Statement of Applicability (control point A.16). Control point A.17, which outlines the information security aspects of business continuity, may also be relevant to the choice to purchase insurance and to ensuring that the claim process is included in your procedures. |